OAuth 2.1 authorization endpoint
Authorization-code + PKCE endpoint for AI assistant clients. Accepts a user JWT via Authorization bearer or local consent form.
Headers
HMAC-SHA256 signature: HMAC-SHA256(secretKey, timestamp + METHOD + path + body). Optional -- when omitted, HMAC verification is skipped.
Request timestamp in epoch milliseconds. Required when x-signature is provided. Rejected if drift exceeds 5 minutes.
Query Parameters
"code"
"echozero-cli"
"http://127.0.0.1:8765/callback"
Space-delimited OAuth scopes mapped to MCP API scopes.
"read:agents read:strategies write:agents"
"S256"
User JWT access token for browserless/local flows. Prefer Authorization: Bearer in API clients.